A. When a machine is in a domain the domains EFS recovery agents is used to decrypt files for which the user has lost their private key.
In a workgroup or in a 4.0 based domain the recovery agent is the local Administrator so its vital to backup the Administrators private key. To do this perform the following:
- Logon to the computer as the local Administrator account
- From the Start menu select Run
- Enter the name 'secpol.msc'
- Expand the 'Public Key Policies' branch and select 'Encrypted Data Recovery Agents' leaf
- A certificate for Administrator with the role of 'File Recovery' will be displayed
- Right click on the certificate and select 'Export' from the 'All Tasks' context menu
- The certificate export wizard will start. Click Next
- You have the option to also export the private key, select Yes. Click Next
- Make sure 'Enable strong protection' is selected and click Next (you also have the option of removing the private key after it is backed up)
- Enter a password for the exported key. Click Next
- Enter the name for the exported file. Click Next
- Click Finish
- Click OK when the export is complete
- If you choose to remove the private key after export you should now restore the computer
A file will now have been created in the target location containing the certificate. Make sure you keep it safe. Its only about 2KB.
0 comments
Hide comments